Spotlight on Surveillance: September 2007

Proposed 'Enhanced' Licenses Are Costly to Security and Privacy

EPIC's "Spotlight on Surveillance" project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. This month, Spotlight shines on "enhanced" driver's licenses, run by the Department of Homeland Security in conjunction with Arizona, Vermont, and Washington as part of the Western Hemisphere Travel Initiative ("WHTI").

The Department of Homeland Security's Fiscal Year 2008 budget request is $46.4 billion, an 8 percent increase over last year.[1] This includes a $10.2 billion proposed budget for the agency's U.S. Customs and Border Protection division, which seeks to spend $252 million on the Western Hemisphere Travel Initiative.[2] The so-called "enhanced" driver's licenses are being proposed to fulfill WHTI requirements.[3]

The Intelligence Reform and Terrorism Prevention Act of 2004 mandated that, by January 2008, the departments of Homeland Security and State develop and implement a plan to require U.S. citizens and foreign nationals to present a passport or other documents to prove identity and citizenship when entering the United States from certain countries in North, Central or South America.[4] This program, the Western Hemisphere Travel Initiative, has the greatest effect upon U.S. citizens who routinely cross the border. Accepted documents for U.S. citizens would include a valid U.S. passport, a trusted traveler card (under government programs such as NEXUS, FAST, or SENTRI), or an "enhanced" driver's license currently under development in three states: Arizona, Washington and Vermont.[5] This is a significant change from the previous system, where U.S. citizens would show a driver's license, birth certificate or nothing at all to cross the border. Approximately 23 million U.S. citizens cross the border to Mexico or Canada about 130 million times per year.[6]

Arizona, Vermont and Washington are piloting "enhanced" driver's license programs. The licenses will be more expensive than current ID cards and include more data, including citizenship status.

A so-called "enhanced" driver's license or identification card contains more data and different technology than current licenses and ID cards. Citizenship designations and wireless radio frequency identification ("RFID") technology chips will be added to the cards. Under the Western Hemisphere Travel Initiative, these new cards will be used as border identity documents. Arizona, Washington and Vermont are creating such RFID-enabled cards through pilot programs.[7] As the Department of Homeland Security and the states have said that requirements for these new licenses will be similar in the three states, Vermont's proposal can be used as an example.

In Vermont, applicants for "enhanced" driver's licenses "will be required to apply in-person […] have a photo taken, be interviewed by DMV staff, and provide documentation to prove U.S. citizenship, identity, and Vermont State residency."[8] Also, the proposed document "will NOT be issued same day. A temporary license will be issued and the ["enhanced" driver's license] will be mailed. The temporary license will not be accepted as a border crossing document," and the RFID-enabled license containing citizenship designation would be delivered about a week later.[9]

These federally approved licenses will contain "at the minimum, the issue date, the citizens [sic] date of birth, gender, address, signature, Vermont license number and a full color facial photograph" and "citizenship status will be depicted," testified Bonnie Rutledge, Director of the Vermont Department of Motor Vehicles, at a recent hearing on identification cards in the U.S. House.[10] All this data will be included on both the machine-readable zone (black strip on the back of the card) and long-range radio frequency identification chip in the card.[11]

An RFID tag or chip will transmit information to a reader, which will communicate those results to a database. This database is often linked to other databases and, possibly, the Internet.

Radio Frequency Identification ("RFID") is a type of automatic identification system. As detailed in "Privacy and Human Rights 2006: An International Survey of Privacy Laws and Developments," the purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and "processed according to the needs of a particular application. 'Passive' RFID tags do not have an internal power source, but derive power indirectly from the interrogating signal of a reader, while 'active' RFID tags are self-powered. […] The data transmitted by the tag may provide identification, location or other information."[12]

Vermont's "enhanced" driver's licenses will have passive long-range RFID tags that will include a "unique identifying number that will access the Vermont DMV database to retrieve the information contained on the front of the enhanced driver's license identification card."[13] EPIC and others have repeatedly highlighted security and privacy problems connected with using long-range (also called "vicinity") RFID chips in identification documents.[14] "Privacy and Human Rights 2006" explains, "RFID readers are often connected to computer networks, facilitating the transfer of data from the physical object to databases and software applications thousands of miles away and allowing objects to be continually located and tracked through space."[15]

DHS has admitted that long-range RFID tags have been read from as far away as 30 feet.[16] Other tests show the tags can be read from 70 feet or more, which poses a significant risk of unauthorized access.[17]

In December 2006, the Department of Homeland Security Data Privacy and Integrity Advisory Committee ("DPIAC") adopted a report, "The Use of RFID for Human Identity Verification," which included recommendations concerning the use of RFID in identification documents.[18] The committee outlined security and privacy threats associated with RFID, and it urged against using RFID technology unless the technology is the "least intrusive means to achieving departmental objectives."[19] The long-range RFID-enabled driver's licenses are not the least intrusive means. For example, an individual could hand her license to a border control official. The proposed "enhanced" driver's licenses fail to comply with the DHS Data Privacy and Integrity Advisory Committee's recommendations regarding the use of RFID technology.

The ability to track individuals was one of the numerous privacy and security weaknesses detailed by EPIC in August comments to the Department of Homeland Security about the WHTI passport card, which will use the same long-range RFID technology as "enhanced" driver's licenses.[20] EPIC noted that the Government Accountability Office ("GAO"), the investigative arm of Congress, did not endorse the use of such technology in ID documents, in part because of this ability.

In Congressional testimony in March 2007, a GAO official cautioned against the use of RFID technology to track individuals. "Once a particular individual is identified through an RFID tag, personally identifiable information can be retrieved from any number of sources and then aggregated to develop a profile of the individual. Both tracking and profiling can compromise an individual's privacy," the GAO said. The GAO reiterated the many problems with the failed US-VISIT RFID project and expressed concern that, despite this failure, DHS endorsed the use of RFID in the WHTI passport card. (internal citations omitted)[21]

Members of the RFID industry have joined privacy and civil liberties groups and the Government Accountability Office in rejecting long-range RFID for identification documents. The Smart Card Alliance, an industry group, has urged against using RFID in "enhanced" driver's licenses.[22] Randy Vanderhoof, the organization's executive director, has said, "Long-range RFID is meant for tracking packages in a warehouse" and not for tracking individuals.[23]

In the August comments about the WHTI PASS card, EPIC also described a failed DHS pilot program that used long-range RFID in ID documents. In 2005, DHS began testing RFID-enabled I-94 forms in its US-VISIT program to track the entry and exit of visitors. The RFID-enabled forms stored a unique identification number, which is linked to data files containing foreign visitors' personal data. EPIC warned that this flawed proposal would endanger personal privacy and security, citing the plan's lack of basic privacy and security safeguards. The DHS's Inspector General echoed EPIC's warnings in a July 2006 report. In the end, DHS abandoned the problem-filled project.[24]

The new "enhanced" driver's licenses include the same problems already highlighted in the proposal for the WHTI PASS cards. Fiscal concerns and questions about privacy and security safeguards of the PASS cards led Sen. Leahy to co-sponsor, with Sen. Ted Stevens of Alaska, legislation to postpone implementation of the Western Hemisphere Travel Initiative until certain requirements are met.[25] The legislation mandates that the departments of Homeland Security and State "ensure that the technology for any Passport Card (PASS Card) meets certain security standards - and that the National Institutes of Standards and Technology certify the technology chosen by DHS and State."[26]

Upon learning of the State Department's plan for the PASS card technology, which the "enhanced" driver's license proposals will likely echo, Sen. Leahy expressed disappointment. "This draft rule shows the importance of our reforms to improve the PASS Card system and to make these agencies more accountable […] Without even testing the technology for use as a passport or personal ID, they have chosen a weaker security standard that would make our borders less secure and that would risk the personal information of millions of Americans," he said.[27]

Washington state expects to release its new RFID-enabled, citizenship-designated, licenses in January 2008.

There are other problems with these federally approved licenses beyond the security and privacy weaknesses connected with using long-range RFID technology. DHS, Arizona, Vermont and Washington are creating these new ID cards in order to change the state driver's license into a federal border security identification document. The license is pulled away from its original intent - to ensure driving competence - and used as a multi-use federal identification document that could easily be transformed into a national identity card.

The Department of Homeland Security already is seeking to create such a national identification card under the controversial REAL ID Act, which would require state motor vehicle departments to fulfill federal immigration duties by authenticating "source" documents such as certified birth certificates and immigration papers in order to ensure the legal citizenship status of applications.[28] The federally approved licenses proposed for Arizona, Vermont and Washington would require citizenship status be printed on the front of the card and included in the machine readable zone and RFID chip. In fact, DHS Secretary Michael Chertoff has said of the proposed "enhanced" driver's license, "it's kind of a REAL ID with an additional feature […] a chip."[29]

In May, EPIC and 24 experts in privacy and technology described the problems associated with the creation of such a federal national identification card, especially the difficulties that individuals who did not carry the card might suffer.[30] If identification cards "were to signify citizenship, there would be intense scrutiny of and discrimination against individuals who chose not to carry the national identification card and those who 'look foreign.'"[31]

EPIC also explained the difficulties that state motor vehicle departments would have in attempting to ensure the citizenship status of applicants, a federal duty, rather than the driving competence of applicants, a state duty. These same difficulties would arise under the proposed RFID-enabled, citizenship-designated licenses. First, "[t]here are questions as to whether some citizens could produce these [source] documents, among them Native Americans, victims of natural disasters, domestic violence victims, the homeless, military personnel, or elderly individuals."[32] Some people do not have and/or cannot afford to order these documents, such as certified birth certificates.

Second, state motor vehicle department employees would be ill-prepared to verify the source documents the applicants would be required to produce.[33] EPIC questioned "how well State DMV employees would be able to spot fraudulent documents, especially documents as rarely seen as consular reports of birth abroad, with merely 12 hours of training when it is difficult for counterfeit documents to be spotted by federal employees whose primary job is verification of source documents."[34]

A third difficulty is that state motor vehicle departments would be required to rely on non-existing, unavailable or erroneous federal databases in order to verify source documents and citizenship status. Two of four verification systems required are not available on a nationwide basis and a third does not even exist.

The systems needed to establish data authenticity are: (1) Electronic Verification of Vital Events ("EVVE"), for birth certificate verification; (2) Social Security On-Line Verification ("SSOLV"), for Social Security Number verification; (3) Systematic Alien Verification for Entitlements ("SAVE"), for immigrant status verification; and (4) a State Department system to verify data from "U.S. Passports, Consular Reports of Birth, and Certifications of Report of Birth." EVVE is in pilot phase and only eight states are participating.[35] DHS admits that only 20 states are using SAVE.[36] The State Department system to verify passports and some reports of births has not been created.[37]

The only system available for nationwide deployment is SSOLV, but it contains numerous errors. SSOLV depends on data gathered in a system whose mistakes are well-known, the Numerical Identification File ("NUMIDENT"). The Social Security Administration's Inspector General estimated that about 17.8 million records in the NUMIDENT have discrepancies with name, date of birth or death, or citizenship status.[38] About 13 million of these incorrect records belong to U.S. citizens.[39]

Federal reviews have found such data "seriously flawed in content and accuracy."[40] In a recent opinion granting a temporary restraining order enjoining the Department of Homeland Security from implementing a new "no-match" employment eligibility verification proposal, the federal judge noted "the government recognizes, the no-match letters are based on SSA records that include numerous errors."[41]

Implementation of WHTI at land borders is planned for January 2009, though there has been discussion of delaying the start date to June 2009 because of myriad problems with implementation.[42] For example, the State Department admitted in June that there is a significant backlog in processing passports because of, among other things, "miscalculation" in preparing for implementation of the Western Hemisphere Travel Initiative ("WHTI").[43] The "miscalculation" was so severe that the Department of Homeland Security had to delay full implementation of WHTI from January 2007 until September 2007.[44]

Not only will the federally approved RFID-enabled, citizenship designated ID cards come with all of these problems, but they also will cost more than regular licenses. Vermont and Washington have estimated that their proposed "enhanced" driver's licenses would cost $15 to $20 more than regular licenses.[45] Washington expects to release its new license in January 2008.[46] Vermont's proposed licenses are expected in Fall 2008.[47] Arizona's governor says that the state's new identification cards will be released sometime in 2008, and the cost of the cards is unknown.[48]

[5] If adopted as proposed, the WHTI PASS Card would include a long-range wireless technology that would create significant security and privacy risks. See EPIC, Spotlight on Surveillance, Homeland Security PASS Card: Leave Home Without It (Aug. 2006), available at http://www.epic.org/privacy/surveillance/spotlight/0806/. Depending upon the final rules issued by DHS, some other, more obscure documents might be accepted, such as a Merchant Mariner Document.

[20] EPIC, Comments on Docket No. USCBP-2007-0061: Proposed Rule: Documents Required for Travelers Departing From or Arriving in the United States From Within the Western Hemisphere (Aug. 1, 2007) [hereinafter "EPIC August 2007 Comments About WHTI"], available at http://www.epic.org/privacy/rfid/whti_080107.pdf.

[24] The DHS Inspector General found "security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data" associated with people who carried the RFID-enabled I-94 forms. In a January report, the GAO also identified numerous performance and reliability problems in RFID-enabled US-VISIT documents. The many problems with the RFID-enabled identification system led Homeland Security Secretary Michael Chertoff to admit in Congressional testimony on February 9, 2007 that the pilot program had failed, stating "yes, we're abandoning it. That's not going to be a solution" for border security. The pilot test was a failure, in part, because, as the GAO report found, "[t]he RFID solution did not meet the statutory requirement for a biometric exit capability because the technology as tested cannot meet a key goal of US-VISIT - ensuring that visitors who enter the country are the same ones who leave." EPIC August 2007 Comments About WHTI at 14-15, supra note 20.

[33] EPIC explained in its REAL ID comments that DHS contemplated this problem and sought to solve it by requiring that DMV employees handling source documents undergo 12 hours of "fraudulent document recognition" training. However, a review of the Social Security Administration found that staff had difficulty recognizing counterfeit documents, though it is their primary job to verify these documents before issuing SSN. For example, the Government Accountability Office review reported difficulty with detection of fraudulent birth certificates. In one case, a fake in-state birth certificate was detected, but "SSA staff acknowledged that if a counterfeit out-of-state birth certificate had been used, SSA would likely have issued the SSN because of staff unfamiliarity with the specific features of numerous state birth certificates." Id. at 15.

[42] Congress is debating legislation requiring DHS to delay WHTI implementation at land border entry points until June 2009. See EPIC August 2007 Comments About WHTI, supra note 20.

[43] Hearing on the Passport Backlog and the State Department's Response to the Western Hemisphere Travel Initiative Before the S. Comm. on Foreign Relations, 110th Cong. (June 19, 2007) (testimony of Maura Harty, Ass't Sec'y for Consular Affairs, Dep't of State), available at http://www.senate.gov/~foreign/hearings/2007/hrg070619p.html.